From the horse’s mouth

USB.org

My Comments

Increasingly the USB connection standard has shown up a need to verify or authenticate device connections on a hardware level. Initially Apple had engaged in this practice with their iOS devices that use the Lightning connector to make sure that properly licensed Lightning cables are used with these devices. But there have been other reasons that this kind of authentication is needed.

One of the reasons was the existence of fake charging devices that are typically installed in public locations. These espionage tools look like plug-in AC chargers or “charging bars” but are really computing devices designed to harvest personal and corporate data from visitors’ smartphones and tablets. The mobile operating systems have been worked to address this problem whether through asking users what role the mobile device plays when it is connected to a host computing device or whether you trust the host device you connect your mobile device to it.

But there has also been concern raised about ultra-cheap USB Type-C cables, typically Type-A adaptor cables, that aren’t wired to standard and could place your laptop, smartphone or tablet at risk of damage. In this case, users want to be sure they are using good-quality properly-designed cables and power-supply equipment so that their devices aren’t at risk of damage.

The USB implementers Forum have established a connection-level authentication protocol for USB Type-C connections. This implements some of the authentication methods used by Apple for their Lightning connection to verify cables along with the ability to verify the devices that are on the other end of a USB Type-C connection.

For example, a traveller could rectify the “fake charger” situation by setting their mobile gadgets only to charge from certified USB Type-C chargers. Similarly, a business can use low-level authentication to verify and approve USB storage devices and modems to the computers under their control are connected to in order to prevent espionage and sabotage. Vehicle builders that supply software updates for their vehicles to rectify cyberattacks on vehicle control units can use this technique as part of their arsenal for authenticating any of these updates delivered to customers via USB sticks.

What needs to be established is that the USB interface chipsets installed on motherboards and other circuit boards need to be able to support this kind of authentication. Similarly, operating systems and device firmware would need to support the low-level authentication in order to reflect the user’s choice or company’s policy and communicate the status concerning USB Type-C devices properly to the end-user.

At least it is an industry-wide effort rather than a vendor-specific effort to verify and authenticate USB devices at the electrical-connection level rather than at higher levels.